Amazon Cognito discovery

  • Release version: Zurich
  • Updated July 31, 2025

    The Amazon AWS Cognito pattern in the ServiceNow Discovery and Service Mapping applications discovers Amazon Cognito, the AWS service that provides authentication, authorization, and user management for AWS customers' applications. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    You can use this pattern on the ServiceNow AI Platform using London Patch 8, Madrid Patch 2, or later releases.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Prerequisites

    User permissions
    Provide the user with read-only permission (the IAM action cognito-idp:ListUserPools) to run the following API call:
    • Endpoint: https://cognito-idp.<region>.amazonaws.com
    • Method: POST
    • Body: {"MaxResults": 10}
    • Headers: X-Amz-Target: AWSCognitoIdentityProviderService.ListUserPools, Content-Type: application/x-amz-json-1.0
    The AWS API reference for the Cognito user pools service documents the content type as application/x-amz-json-1.1; if a test request with the value above is rejected, use that value instead.
    AWS Credentials
    On your instance, configure credentials of type AWS Credentials and set to Active.
    Cloud service account
    On your instance, configure a cloud service account of type AWS Datacenter, set its Account ID to your AWS account ID, and select the credentials defined in the preceding AWS Credentials step.
    Discovery schedule
    Create a cloud application schedule for discovering AWS Cognito and configure the attributes. Set Discovery to Cloud application.
    Execution pattern
    Create and define the serverless execution pattern for cloud application discovery.
    1. Create a new Cloud Execution Pattern record.
    2. Define Name.
    3. Verify that Active is true.
    4. Verify that Domain is global.
    5. Choose the AWS pattern you want to run.
    6. Create multiple records if you want to run more than one pattern.
    Discovery schedule for full AWS discovery
    Create a discovery schedule from your Cloud service account created in the earlier procedure.
    1. Click on Discover Datacenter and wait for it to finish.
    2. Click Create Discovery Schedule.
    3. This new schedule is created under the Discovery Schedule and runs all AWS patterns.

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

    Note:
    You can test the AWS REST APIs using Postman API platform. For more information, see the How to test AWS REST API using POSTMAN [KB0782183] article in the Now Support Knowledge Base.
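    The request listed under User permissions, and the permission check described in this section, as an added example that is not ServiceNow's or AWS's own code: the Python script below builds the exact ListUserPools call (same endpoint, method, body and headers as on this page), signs it with AWS Signature Version 4 using only the standard library, and sends it so you can confirm from a shell, rather than Postman, that the principal behind the AWS Credentials record may list user pools. The function names, the environment-variable names, the placeholder access key, secret and timestamp used to exercise it, and the minimal IAM policy returned by least_privilege_policy are assumptions made here; the policy covers only the ListUserPools action this page names, and the tag extension needs whatever action the Cloud Discovery patterns spreadsheet lists for it.

```python
"""Sign and send the ListUserPools request that the Cognito pattern issues.

Added example, not ServiceNow or AWS code. Standard library only, so the
signing part runs offline; only check_list_user_pools() touches the network.
"""
import datetime as dt
import hashlib
import hmac
import json
import urllib.error
import urllib.request

SERVICE = "cognito-idp"
TARGET = "AWSCognitoIdentityProviderService.ListUserPools"
CONTENT_TYPE = "application/x-amz-json-1.0"  # header value as given on this page


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def build_list_user_pools_request(region, access_key, secret_key, max_results=10, now=None):
    """Return (url, headers, body) for a SigV4-signed ListUserPools call.

    Assumes a long-term access key; a session token would also have to be
    sent and signed as x-amz-security-token.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    host = f"{SERVICE}.{region}.amazonaws.com"
    body = json.dumps({"MaxResults": max_results})  # -> {"MaxResults": 10}
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    # Every header below is covered by the signature; SigV4 wants them
    # lower-cased and sorted when building the canonical request.
    headers = {
        "content-type": CONTENT_TYPE,
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": TARGET,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash]
    )

    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return f"https://{host}/", headers, body


def check_list_user_pools(region, access_key, secret_key):
    """Send the call and return (http_status, message).

    A 200 means the prerequisite is met. An error body whose __type is
    AccessDeniedException means the IAM policy lacks cognito-idp:ListUserPools.
    """
    url, headers, body = build_list_user_pools_request(region, access_key, secret_key)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            pools = json.loads(resp.read())["UserPools"]
            return resp.status, f"OK: {len(pools)} user pool(s) visible"
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def least_privilege_policy() -> dict:
    """Smallest IAM policy statement that satisfies the prerequisite on this page
    (assumed here; ListUserPools is not resource-scoped, hence Resource "*")."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["cognito-idp:ListUserPools"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    import os  # credentials are read from the environment, never hard-coded
    status, message = check_list_user_pools(
        os.environ["AWS_REGION"],
        os.environ["AWS_ACCESS_KEY_ID"],
        os.environ["AWS_SECRET_ACCESS_KEY"],
    )
    print(status, message)
```

    Export AWS_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the principal you attached to the AWS Credentials record and run the script; a non-2xx status with an AccessDeniedException body points at the IAM policy, while a timeout points at the MID Server parameters described under Troubleshooting.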

    Data collected by Discovery and Service Mapping during horizontal and top-down discovery

    The AWS Cognito pattern collects the following data.

    Table 1. Collected information from the AWS Cognito pattern
    Main CI: cmdb_ci_cloud_authentication
    Field       Description
    name        A descriptive name used to identify the user pool.
    object_id   Set equal to the account_id; used by IRE identification rules.
    fqdn        The user pool ARN, for example arn:aws:cognito-idp:eu-west-1:751200741520:userpool/eu-west-1_fim5E2mix

    Tags are collected by an extension section that runs after the pattern. The AWS tagging API reports these resources with the resource type Cognito.

    Table 2. Collected information from the AWS Cognito tags
    CI: cmdb_key_value
    Field               Description
    key                 The tag key.
    value               The tag value.
    configuration_item  The unique resource ID (ARN) that identifies the resource in the AWS console.

    CI relationships

    The AWS Cognito pattern creates the following CI relationship.
    CI                                                   Relationship     CI
    Cloud authentication [cmdb_ci_cloud_authentication]  Hosts:Hosted on  Logical datacenter [cmdb_ci_logical_datacenter]

    Troubleshooting

    If the mapping process does not proceed as you expected, follow these suggestions.

    Symptom: Discovery fails. The discovery message reports an error caused by a REST timeout.
    Cause: Many CIs in the deployment are returned in the REST call response, and the MID Server cannot process the response within the time limit controlled by the mid.sa.cloud.request_timeout parameter. By default, mid.sa.cloud.request_timeout is set to 30000 milliseconds.
    Solution: Increase the value of this parameter on the relevant MID Server and run discovery again.
    Note:
    If the Configuration Parameters related list for the relevant MID Server does not show this parameter, you may need to add it.

    Symptom: Pattern Designer fails during a debug session. The Pattern Designer message reports an error caused by a timeout.
    Cause: The Pattern Designer times out during pattern debugging (not during discovery). By default, the sa.debugger.max_timeout parameter is set to 240 seconds.
    Solution: Increase the value of this parameter on the relevant MID Server.